Christopher Wray said encryption on devices was "a huge, huge problem" for FBI investigations. The agency had failed to access more than half of the devices it targeted in an 11-month period, he said. One cyber-security expert said such encryption was now a "fact of life".
Many smartphones encrypt their contents when locked, as standard - a security feature that often prevents even the phones' manufacturers from accessing data. Such encryption is different to end-to-end encryption, which prevents interception of communications on a large scale.Read more
A post-intrusion technique developed by researchers at CyberArk Labs called BoundHooking allows attackers to exploit a feature in all Intel chips introduced since Skylake. The attack technique allows for the execution of code from any process without detection by antivirus software or other security measures, researchers said.
According to CyberArk, a BoundHooking attack exploits the Intel feature called Memory Protection Extension (MPX) to hook function calls that pass between software components. That allows for an adversary to manipulate and spy on a wide range of Windows applications.Read more
A bug that has been confirmed on both iOS 11 and iOS 11.1 beta allows hackers to bypass the passcode of an iPhone and access the photos stored in the gallery by simply dialing your phone number.
Discovered by YouTube iDeviceHelp, this bug can be exploited by dialing the phone number of the locked iPhone. To gain unauthorized access, the exploit also involves invoking Siri, so if the digital assistant is disabled on your device, you’re on the safe side. As you can see for yourselves in the video at the end of the article, the method is quite complex and even though it’s hard to believe that someone would discover it by mistake.Read more
Google has booted eight Android apps from its Play marketplace, even though the apps have been downloaded as many as 2.6 million times. The industry giant took action after researchers found that the apps add devices to a botnet and can perform denial-of-service attacks or other malicious actions.
The stated purpose of the apps is to provide a skin that can modify the look of characters in the popular Minecraft: Pocket Edition game. Under the hood, the apps contain highly camouflaged malware known as Android.Sockbot, which connects infected devices to developer-controlled servers.Read more
Some smartwatches designed for children have security flaws that make them vulnerable to hackers, a watchdog has warned. The Norwegian Consumer Council tested watches from brands including Gator and GPS for Kids.
It said it discovered that attackers could track, eavesdrop or even communicate with the wearers. The manufacturers involved insist the problems have either already been resolved or are being addressed. UK retailer John Lewis has withdrawn one of the named smartwatch models from sale in response. The smartwatches tested essentially serve as basic smartphones, allowing parents to track their location.Read more
Researchers are warning that the group behind Necurs, one of the most venerable malware spamming operations, has added functions to its toolkit to gain new insight into its victims.
Necurs is a botnet, a vast network of hacked computers used in this case to email malware to new victims. The malware includes TrickBot, which is designed to steal banking credentials, and Locky, a form of ransomware. Researchers at Symantec announced Tuesday that in addition to its recent updates to Locky and TrickBot, the Necurs group added some updates to the program used to download Locky and TrickBot onto new systems.Read more
A new exploit can allow attackers to read Wi-Fi traffic between devices and wireless access points, and even modify it to inject malware into websites. Researchers have started disclosing security vulnerabilities, and it looks like Android and Linux-based devices are the worst affected by them.
Researchers also claim some of the attack works against all modern Wi-Fi networks using WPA or WPA 2 encryption, and that the weakness is in the Wi-Fi standard itself so it affects macOS, Windows, iOS, Android, and Linux devices. Intercepting traffic lets attackers read information that was previously assumed to be safely encrypted.Read more
The security protocol used to protect the vast majority of wifi connections has been broken, potentially exposing wireless internet traffic to malicious eavesdroppers and attacks, according to the researcher who discovered the weakness.
Mathy Vanhoef, a security expert at Belgian university KU Leuven, discovered the weakness in the wireless security protocol WPA2, and published details of the flaw on Monday morning. “Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted, this can be abused to steal sensitive information.” Vanhoef’s report said.Read more
The NSA’s hackers have a problem. Last week, multiple outlets reported that its elite Tailored Access Operations unit—tasked with breaking into foreign networks—suffered another serious data breach.
The theft of computer code and other material by an employee in 2015 allowed the Russian government to more easily detect U.S. cyber operations. It’s potentially the fourth large-scale incident at the NSA to be revealed in the last five years. Now, sources with direct knowledge of TAO’s security procedures in the recent past tell just how porous some of the defenses were to keep workers from stealing sensitive information.Read more
One of iOS' rougher edges are the popups it produces on a regular but seemingly random basis. These popups require users to enter their Apple ID before they can install or update an app or complete some other mundane task.
The prompts have grown so common most people don't think twice about them. Mobile app developer Felix Krause makes a compelling case that these popups represent a potential security hole through which attackers can steal user credentials. In a blog post published Tuesday, he showed side-by-side comparisons, pictured above, of an official popup produced by iOS and a proof-of-concept phishing popup.Read more